Last Call Review of draft-ietf-regext-change-poll-10
Reviewer: Valery Smyslov
Review result: Ready with Nits
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

This draft defines an extension to the Extensible Provisioning Protocol (EPP, RFC 5730)
that allows servers to notify clients about operations which were not
initiated by the clients, but which modify the state of client-sponsored objects.
The extension is defined using the standard EPP mechanism for adding extensions,
so the Security Considerations from RFC 5730 apply and no new ones are added.

Keeping long message queues consumes server resources and can
potentially be a surface for DoS attacks; however, as far as I understand,
unauthorized entities cannot cause the server to perform actions resulting in
operations on other clients' objects, so it seems that this is not a security issue here.
Nevertheless, adding a few words stating that this is not a security issue would be helpful.

General comment not related to security. It seems to me that the protocol description
is inconsistent. The Introduction section states that this extension only extends
the response to the EPP <poll> command. However, Section 3 of this specification,
which describes the EPP Command Mapping, extends only the response
to the EPP <info> command with a poll message, and the <poll> command is not mentioned
there at all. I'm not familiar with the EPP protocol, but I believe that <info> and <poll>
are different commands, so unless I've missed something, it seems that the protocol
description is inconsistent (or incomplete). Since it is not related to security,
I think the document is Ready (from a security perspective), but this inconsistency
must either be fixed or some clarification provided.